Updating Security Operations For The Cloud

More and more companies are deploying production workloads to the cloud (in all of its definitions), and that’s a very good thing.

Unfortunately, this shift has highlighted an area where we–the information security community–are a little weak. That weakness is in sharing best practices and discussing the ups and downs of operating security in hybrid and full cloud environments.

Areas of Practice

I’ve written about this before and wanted to circle back on the topic while diving a little deeper. This post introduces my focus for the next couple of months and serves as my call to arms for you, the reader.

First, let’s take a look at the operational areas that we need to address. The questions I highlighted in my last post provide some insight on where to look:

How do I efficiently monitor all of these environments?

Can I make sense of what’s happening regardless of where it’s happening?

Is effective incident response possible across environments?

To start answering these questions, we need to look at our monitoring and incident response processes. Rounding things out, we should also look at audit response and how we handle forensics. These four areas are the pillars of your day-to-day security practice.

Best Practices?

This is the area of the post where I go on a little rant so bear with me. I usually don’t rant, but there is an ongoing challenge that I think we need to address as a community.

That challenge is the lack of sharing of operational best practices.

Take a moment and try to find a good resource on the challenges of running a SIEM day-to-day. Or on how to evaluate packet data. Or a process for responding to a malware incident.

Yes, there are a few, but compare the number your found to the multitude of security architectures and frameworks that are available. We need more papers in places like the SANS Reading Room. We need more front line analysts blogging.

What we will gain by sharing far outweighs the perceived risks.

What’s Next?

I’m going to put my money (well, effort and time anyway) where my mouth is. Here on the blog, I’ll be writing up a few thoughts on each of these areas (audit response, monitoring practices, incident response, and forensics) as they relate to hybrid and cloud environments.

I’ll also be covering these topics live at a variety of events, starting with the AWS Summit in San Francisco. I’ll also be working on contributing to some more formal outlets like the SANS Reading Room.

What I’d like from you are your thoughts and ideas on the best way to share this information. Is there an existing forum where we can share (and hopefully, I’ve just missed it, and this isn’t an issue!)? Do we need a new community site?

What’s the best way for our community to help each other out with this?

Please contribute you thoughts in the comments below or on Twitter (where I’m @marknca). Let’s work together to help ensure that everyone can increase their level of security in these environments.